Thomas noticed that it is easy to embed an executable inside an RTF file and have the user execute it. By default, Windows WordPad is the program that handles RTF files. The file is inserted as an OLE object and appears with the file name below it.

The trick Thomas shows is to rename the file, which one does with the Object Packager program. At this point, the program still executes if the user double-clicks it, even though the file no longer carries a .EXE extension. So the attack scenario is simply to get the user to open the object.

The important news is that Thomas discovered that most antivirus products do not scan objects embedded inside RTF files! He ran a sample with the EICAR test inside through VirusTotal, and 14 products, all of which detected EICAR outside of the RTF, missed it inside. (This, incidentally, is exactly the sort of test for which EICAR exists.)

Further testing on my own shows that Windows Vista is a little more intelligent about it. I put the Windows SORT.EXE file into an RTF file and renamed it. Vista did not allow me to remove the final file extension, so renaming it to SORT.TXT resulted in SORT.TXT.EXE. (See the screen capture.)
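Because the antivirus products in Thomas's test did not look inside the RTF container, a scanner or mail gateway has to extract the embedded object itself before it can judge it. The script below is an added example written for this post, not code from the original article or from Thomas's work: it pulls each `{\*\objdata ...}` hex blob out of an RTF document, parses it as an OLE 1.0 embedded-object stream (version, format id, class name, topic name, item name, native data size, native data), and reports objects whose class is `Package` (what Object Packager produces) or whose native data contains a PE image. The sample RTF, the stub PE bytes and the Packager-style label prefix are all constructed for the demo; the stub carries only the MZ/PE signatures and is not a runnable program.

```python
import re
import struct

# Matches the {\*\objdata <hex>} group that RTF uses to carry an embedded OLE object.
OBJDATA_RE = re.compile(r"\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


def _lp_string(s: bytes) -> bytes:
    """OLE 1.0 LengthPrefixedAnsiString: 4-byte LE length, then the NUL-terminated bytes."""
    s += b"\x00"
    return struct.pack("<I", len(s)) + s


def build_ole1_object(class_name: bytes, native_data: bytes) -> bytes:
    """Serialise an OLE 1.0 embedded-object stream (used here only to build sample input)."""
    return (struct.pack("<II", 0x00000501, 2)          # OLEVersion, FormatID 2 = embedded
            + _lp_string(class_name) + _lp_string(b"") + _lp_string(b"")  # class, topic, item
            + struct.pack("<I", len(native_data)) + native_data)


def _read_lp_string(buf: bytes, pos: int):
    (length,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    raw = buf[pos:pos + length]
    if len(raw) != length:
        raise ValueError("truncated string")
    return raw.rstrip(b"\x00").decode("latin-1"), pos + length


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 stream back into its class name and native (file) data."""
    if len(blob) < 8:
        raise ValueError("too short for an OLE 1.0 header")
    version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, pos = _read_lp_string(blob, 8)
    _topic, pos = _read_lp_string(blob, pos)
    _item, pos = _read_lp_string(blob, pos)
    (size,) = struct.unpack_from("<I", blob, pos)
    native = blob[pos + 4:pos + 4 + size]
    if len(native) != size:
        raise ValueError("native data truncated")
    return {"version": version, "format_id": format_id,
            "class_name": class_name, "native_data": native}


def looks_like_pe(data: bytes) -> bool:
    """Heuristic: an MZ header whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
            pe = off + e_lfanew
            if data[pe:pe + 4] == b"PE\x00\x00":
                return True
        off = data.find(b"MZ", off + 1)
    return False


def extract_objdata(rtf: str):
    """Yield each embedded object's raw bytes, hex-decoded from the \\objdata groups."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))   # RTF wraps the hex across lines
        if hexstr and len(hexstr) % 2 == 0:
            yield bytes.fromhex(hexstr)


def scan_rtf(rtf: str) -> list:
    """Return one finding per embedded object: its class and whether it carries a PE image."""
    findings = []
    for blob in extract_objdata(rtf):
        try:
            obj = parse_ole1(blob)
        except (ValueError, struct.error) as exc:
            findings.append({"class_name": None, "is_package": False,
                             "is_executable": False, "error": str(exc)})
            continue
        findings.append({"class_name": obj["class_name"],
                         "is_package": obj["class_name"] == "Package",
                         "is_executable": looks_like_pe(obj["native_data"]),
                         "native_size": len(obj["native_data"])})
    return findings


# Constructed sample data: a stub with the MZ/PE signatures in the right places, not a real program.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
# Package native data: a constructed label/path prefix (demo layout, not the real Packager format)
# followed by the file bytes, mirroring a renamed SORT.TXT that still holds the executable.
PACKAGE_NATIVE = b"\x02\x00" + b"SORT.TXT\x00" + b"C:\\placeholder\\SORT.EXE\x00" + FAKE_PE


def _obj_group(class_name: bytes, native: bytes) -> str:
    hexdata = build_ole1_object(class_name, native).hex()
    return r"{\object\objemb{\*\objclass " + class_name.decode() + r"}{\*\objdata " + hexdata + "}}"


SAMPLE_RTF = (r"{\rtf1\ansi Text before the objects. "
              + _obj_group(b"Package", PACKAGE_NATIVE)
              + _obj_group(b"Paint.Picture", b"BM" + b"\x00" * 40)   # benign bitmap-like object
              + " Text after.}")
BENIGN_RTF = r"{\rtf1\ansi No embedded objects here.}"

if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
```

Run on the sample, the Package object is reported with `is_executable` true while the bitmap-like object is not; a gateway could quarantine on either `is_package` or `is_executable`, since a Package object is a user-openable file regardless of what extension the label shows. Real RTF files nest other groups inside `\object` and can split the hex across many lines, which is why the regex strips whitespace before decoding.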

Furthermore, when I tried to run the embedded object, Vista threw up a rather dire warning. Windows XP SP2 does issue its standard warning if no code signature can be found on the executable, and earlier Windows versions just run the program.